Date: Tue, 17 Jul 2018 14:44:56 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 55): new software built with 5.5 year old tool shows 20+ year old vulnerabilities
Hi @ll,
Microsoft released <https://support.microsoft.com/en-us/help/4340040/>
"July 2018 servicing release for Microsoft Desktop Optimization Pack"
some days ago.
<https://www.microsoft.com/en-us/download/details.aspx?id=57157> offers
three executable installers to update existing installations:
MBAM2.5_Client_x64_KB4340040.exe, MBAM2.5_Client_x86_KB4340040.exe and
MBAM2.5_X64_Server_KB4340040.exe
1. All three executable installers are susceptible to DLL spoofing, a
vulnerability known for 20+ years: they load multiple system DLLs
from their "application directory", typically the user's "Downloads"
directory %USERPROFILE%\Downloads\, instead from Windows' "system
directory" %SystemRoot%\System32\, resulting in arbitrary code
execution.
On a fully patched Windows 7 SP1, MBAM2.5_Client_x64_KB4340040.exe
and MBAM2.5_Client_x86_KB4340040.exe load AT LEAST the following
rogue DLLs:
msls31.dll, propsys.dll, ntmarta.dll, version.dll, secur32.dll
On a fully patched Windows 7 SP1, MBAM2.5_X64_Server_KB4340040.exe
loads AT LEAST the following rogue DLLs:
uxtheme.dll, cabinet.dll, msi.dll, version.dll
For this well-known and well-documented BEGINNER'S ERROR see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>.
Additionally see Microsofts own guidance
<https://technet.microsoft.com/en-us/library/2269637.aspx>,
<https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
<https://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>
for avoiding this beginner's error.
Don't forget to recap Steve Sutton's "Windows NT Security Guidelines"
<http://fy.chalmers.se/~appro/nt/nsaguide.pdf>, or ACROS Security's
<https://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <https://www.ipa.go.jp/security/english/vuln/20170928_dll_en.html>
Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a) follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build a minefield of 32-bit forwarder DLLs in your
"Downloads" directory;
b) download the executable installers via
<https://www.microsoft.com/en-us/download/details.aspx?id=57157>
and save them in your "Downloads" directory";
c) execute MBAM2.5_Client_x86_KB4340040.exe and
MBAM2.5_X64_Server_KB4340040.exe: notice the message boxes
displayed from the DLLs built in step a!
d) repeat step a to build a minefield of 64-bit forwarder DLLs.
e) execute MBAM2.5_Client_x64_KB4340040.exe: notice the message
boxes displayed from the DLLs built in step d!
2. In standard installations of Windows, where the user account
created during Windows setup is used, the UNPRIVILEGED alias
UNELEVATED user (or any program running under this account) can
place arbitrary rogue DLLs in the "Downloads" directory, for
example per "drive-by download".
JFTR: the precondition "user account created during setup" holds
for the vast majority of all Windows installations.
As published in your own "security intelligence reports"
<https://www.microsoft.com/security/sir/>, from 50% to 75%
of all about 600 million Windows installations which provide
telemetry data have only one active user account.
Since the "application manifest" embedded in
MBAM2.5_Client_x64_KB4340040.exe and MBAM2.5_Client_x86_KB4340040.exe
specifies "requireAdministrator", the first vulnerability then
results in arbitrary code execution WITH escalation of privilege.
3. Although MBAM2.5_Client_x64_KB4340040.exe and
MBAM2.5_Client_x86_KB4340040.exe run elevated, they extract their
payload MBAM2.5-Client-KB00000.msp UNPROTECTED into the %TEMP%
directory.
For this well-known and well-documented BEGINNER'S ERROR see
<https://cwe.mitre.org/data/definitions/377.html> and
<https://cwe.mitre.org/data/definitions/379.html> plus
<https://capec.mitre.org/data/definitions/29.html>
In standard installations of Windows, where the user account
created during Windows setup is used, the UNPRIVILEGED alias
UNELEVATED user is the owner of the extracted payload and has
FULL ACCESS to it. This allows modification of the extracted
file(s) between creation and use.
Since the payload is processed with administrative rights
(MSIExec.exe runs under SYSTEM account) this second vulnerability
results in escalation of privilege too.
4. Built with a COMPLETELY outdated version 3.7.1224.0 of Wix toolset
<http://robmensching.com/blog/posts/2012/12/24/wix-v3.7-released/>,
MBAM2.5_X64_Server_KB4340040.exe has the same well-known and well-
documented vulnerabilities too.
See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/>
and subsequent security advisories from the creators of Wix toolset.
Microsofts developers are most obviously UNABLE (or INCAPABLE?) to
even keep their production environment up-to-date!
Their managers most obviously don't care too, and their QA seems
sound asleep.
5. MBAM2.5_X64_Server_KB4340040.exe extracts its payload, the real
installer, into an UNPROTECTED subdirectory of %TEMP% using the
hard-coded name "{cf45df76-7d9e-499f-8d93-64ec3ee76e20}" and
executes it ELEVATED.
The UNPROTECTED subdirectory allows modification of the extracted
files between creation and use, resulting in elevation of privilege
(or denial of service).
Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a) add the NTFS ACE "(D;OIIO;WP;;;WD)" to your %TEMP% directory;
the ACE means "deny execution of files in this subdirectory for
everyone, inheritable to files in all subdirectories".
b) execute MBAM2.5_X64_Server_KB4340040.exe: notice its SILENT
failure.
c) create the following batch script in an arbitrary directory:
--- kb4340040.cmd ---
:LOOP
@If Not Exist "%TEMP%\{cf45df76-7d9e-499f-8d93-64ec3ee76e20}" Goto :LOOP
Rem Add some more loops here which wait for the creation of files
Rem to be overwritten, and some copy commands to overwrite them ...
--- EOF ---
d) run the batch script, then execute MBAM2.5_X64_Server_KB4340040.exe
Mitigations:
~~~~~~~~~~~~
1. DON'T use executable installers; stay far away from such crap!
2. NEVER run executable installers from UNSAFE directories like
"%USERPROFILE%\Downloads\" or "%TEMP%\"
3. Exercise STRICT privilege separation: use your privileged
"Administrator" account (especially the account created during
Windows setup) only for administrative tasks, and a COMPLETELY
separate unprivileged "standard user" account for your own tasks.
stay tuned
Stefan Kanthak